CVE-2024-53052

Summary

In the Linux kernel, the following vulnerability has been resolved:

io_uring/rw: fix missing NOWAIT check for O_DIRECT start write

When io_uring starts a write, it'll call kiocb_start_write() to bump the super block rwsem, preventing any freezes from happening while that write is in-flight. The freeze side will grab that rwsem for writing, excluding any new writers from happening and waiting for existing writes to finish. But io_uring unconditionally uses kiocb_start_write(), which will block if someone is currently attempting to freeze the mount point. This causes a deadlock where freeze is waiting for previous writes to complete, but the previous writes cannot complete, as the task that is supposed to complete them is blocked waiting on starting a new write. This results in the following stuck trace showing that dependency with the write blocked starting a new write:

task:fio state:D stack:0 pid:886 tgid:886 ppid:876 Call trace: __switch_to+0x1d8/0x348 __schedule+0x8e8/0x2248 schedule+0x110/0x3f0 percpu_rwsem_wait+0x1e8/0x3f8 __percpu_down_read+0xe8/0x500 io_write+0xbb8/0xff8 io_issue_sqe+0x10c/0x1020 io_submit_sqes+0x614/0x2110 __arm64_sys_io_uring_enter+0x524/0x1038 invoke_syscall+0x74/0x268 el0_svc_common.constprop.0+0x160/0x238 do_el0_svc+0x44/0x60 el0_svc+0x44/0xb0 el0t_64_sync_handler+0x118/0x128 el0t_64_sync+0x168/0x170 INFO: task fsfreeze:7364 blocked for more than 15 seconds. Not tainted 6.12.0-rc5-00063-g76aaf945701c #7963

with the attempting freezer stuck trying to grab the rwsem:

task:fsfreeze state:D stack:0 pid:7364 tgid:7364 ppid:995 Call trace: __switch_to+0x1d8/0x348 __schedule+0x8e8/0x2248 schedule+0x110/0x3f0 percpu_down_write+0x2b0/0x680 freeze_super+0x248/0x8a8 do_vfs_ioctl+0x149c/0x1b18 __arm64_sys_ioctl+0xd0/0x1a0 invoke_syscall+0x74/0x268 el0_svc_common.constprop.0+0x160/0x238 do_el0_svc+0x44/0x60 el0_svc+0x44/0xb0 el0t_64_sync_handler+0x118/0x128 el0t_64_sync+0x168/0x170

Fix this by having the io_uring side honor IOCB_NOWAIT, and only attempt a blocking grab of the super block rwsem if it isn't set. For normal issue where IOCB_NOWAIT would always be set, this returns -EAGAIN which will have io_uring core issue a blocking attempt of the write. That will in turn also get completions run, ensuring forward progress.

Since freezing requires CAP_SYS_ADMIN in the first place, this isn't something that can be triggered by a regular user.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux2b188cc1bb857a9d4701ae59aa7768b5124e262e < 485d9232112b17f389b29497ff41b97b3189546baffected
LinuxLinux2b188cc1bb857a9d4701ae59aa7768b5124e262e < 4e24041ba86d50aaa4c792ae2c88ed01b3d96243affected
LinuxLinux2b188cc1bb857a9d4701ae59aa7768b5124e262e < 9e8debb8e51354b201db494689198078ec2c1e75affected
LinuxLinux2b188cc1bb857a9d4701ae59aa7768b5124e262e < 003d2996964c03dfd34860500428f4cdf1f5879eaffected
LinuxLinux2b188cc1bb857a9d4701ae59aa7768b5124e262e < 26b8c48f369b7591f5679e0b90612f4862a32929affected
LinuxLinux2b188cc1bb857a9d4701ae59aa7768b5124e262e < 1d60d74e852647255bd8e76f5a22dc42531e4389affected
LinuxLinux5.1affected
LinuxLinux0 < 5.1unaffected
LinuxLinux5.10.230 <= 5.10.*unaffected
LinuxLinux5.15.172 <= 5.15.*unaffected
LinuxLinux6.1.116 <= 6.1.*unaffected
LinuxLinux6.6.60 <= 6.6.*unaffected
LinuxLinux6.11.7 <= 6.11.*unaffected
LinuxLinux6.12 <= *unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References